Question regarding rdr pass rule on WAN and filter rule on LAN

Started by sja1440, May 01, 2024, 08:45:39 PM

I have an rdr rule on my WAN which uses the "pass" keyword.  This is used to port forward inward connections from the internet to a machine on the LAN interface.

According to man pf.conf the "pass" keyword means that filter rules are not evaluated. But it is not clear to me whether the no-filter part applies only to filter rules on the WAN interface or whether it also applies to filter rules on the LAN interface.

Does anybody know where I can find a definitive reference that defines the correct behaviour?

I have done some experiments but the results are inconclusive.

You should re-read pf.conf's man page.

Quote:
    Packets that match a translation rule are only automatically passed if the pass modifier is given

Quote:
    Translation rules apply only to packets that pass through the specified interface, and if no interface is specified, translation is applied to packets on all interfaces.

No interface + 'pass' modifier = Redirect + Pass by Bypassing filters on all interfaces
Interface set to IF + 'pass' modifier = Redirect + Pass by Bypassing filters only on traffic coming in on IF.

What experiments did you conduct?
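To make the distinction drawn above concrete, here is an added pf.conf fragment (written for this page, not taken from the thread, OPNsense or miniupnpd) showing the `rdr pass` form next to a plain `rdr` whose traffic is then decided by explicit filter rules. The interface names, the internal host address and the blocklist entries are assumptions; OPNsense normally generates its ruleset itself, so this is meant to illustrate the rule semantics rather than as a file to install.

```pf
# Assumed interface names and internal host (not from the thread).
wan = "em0"
lan = "em1"
webhost = "192.168.1.10"

# Constructed sample blocklist; a geo or reputation feed would be loaded
# into it with: pfctl -t blocklist -T replace -f /path/to/list
table <blocklist> persist { 203.0.113.0/24, 198.51.100.7 }

# Form A: 'rdr pass' on WAN (the form miniupnpd writes).
# Per pf.conf, a packet matching this rule is redirected and passed
# automatically, so the filter rules below are not consulted for it.
# rdr pass quick on $wan inet proto tcp from any to ($wan) port 8080 -> $webhost port 80

# Form B: 'rdr' without 'pass'. The packet is only translated; whether
# it is allowed is decided by the filter rules.
rdr on $wan inet proto tcp from any to ($wan) port 8080 -> $webhost port 80

# Translation happens before filtering, so filter rules see the
# translated destination ($webhost port 80), not the WAN address/port 8080.
block in quick on $wan inet from <blocklist> to any
pass in on $wan inet proto tcp from any to $webhost port 80 keep state
pass out on $lan inet proto tcp from any to $webhost port 80 keep state
```

With form B the `block in quick ... from <blocklist>` line is honoured for the forwarded port, which is the kind of firewall-side restriction the question is after; with form A the same line is never reached for packets the rdr rule matched.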

Thanks for the response but I still find the man pf.conf description not clear. Let me put it another way.

I see two interpretations - assuming always that the incoming connection from the WAN is redirected to the LAN interface.

(interpretation 1) With an rdr pass rule on my WAN interface:
    incoming filter rule defined on my WAN interface will NOT be evaluated and
    outgoing filter rule defined on my LAN interface will NOT be evaluated

(interpretation 2) With an rdr pass rule on my WAN interface:
    incoming filter rule defined on my WAN interface will NOT be evaluated and
    outgoing filter rule defined on my LAN interface WILL BE evaluated

Which is it?

I am asking the question because the plugin os-upnp creates rdr pass quick rules on WAN. If interpretation 1 is correct then I would be unable to filter in any way incoming traffic to the machine exposing its port to the internet. Unfortunately the plugin has no option to remove the "pass" keyword. The sort of filtering I am thinking of is blacklists/geographic restrictions which I prefer to have in my firewall and not implemented on each machine.

Very interesting question. The docs are quite non-verbose on this. Even FreeBSD docs are not very helpful in this edge case.

Regarding os-upnp I have to pass. I never used it before.

In the end I abandoned using os-upnp for several reasons:
* upnp-igd protocol is built on other very rich protocols and so probably has a very large attack surface
* my PCP (NAT-PMP) clients sent an expiry time of 0 (i.e. never close) whenever they shut down (bug in the client software). :-\
* miniupnpd (used by os-upnp) creates "rdr pass quick" rules which bypass all of my filter rules. Not acceptable for my needs.

In the end I created a monit service which implements a very simple mechanism for opening ports only when the client is active and then closes them when the client becomes inactive.